Harvester has developed a new Linux variant of its GoGra backdoor that abuses the Microsoft Graph API and Outlook mailboxes as a covert C2 channel, using hardcoded Azure AD application credentials to poll mailboxes and execute AES-encrypted tasks. Symantec and Carbon Black link the Linux implant to a prior Windows GoGra campaign, showing cross-platform code reuse, identical typos, and tailored decoy documents targeting South Asia. #GoGra #Harvester
Keypoints
- Harvester released a highly evasive Linux GoGra backdoor that uses legitimate Microsoft Graph API calls and Outlook mailboxes as a covert C2 channel.
- The Linux implant includes hardcoded, plaintext Azure AD application credentials that permit OAuth2 token requests for Graph API access.
- Attackers use tailored social-engineering decoy documents and subtle filename masquerading (e.g., appending “. pdf”, with a space between the filename and the extension) to trick users into executing ELF binaries.
- The dropper writes the payload to ~/.config/systemd/user/userservice and ensures persistence via a systemd user unit and an XDG autostart entry disguised as Conky.
- Commands are polled from a mailbox folder (e.g., “Zomato Pizza”), tasking is AES-encrypted and base64-wrapped, execution occurs via /bin/bash -c, and results are AES-encrypted and emailed back as a reply with the subject line ‘Output’ before the implant issues an HTTP DELETE to remove the original tasking message.
- Analysis shows near-identical code and spelling/function-name typos between Linux and Windows variants, indicating a single developer and an active cross-platform development effort focused on South Asia (initial VT submissions from India and Afghanistan).
MITRE Techniques
- [T1204] User Execution – Social-engineering lures deploy tailored decoy documents to induce victims to run the malicious payload (‘The attackers use social engineering lures to gain initial access to victim networks by deploying tailored decoy documents.’)
- [T1036] Masquerading – Malicious ELF files are disguised as document files by appending extensions with a space to trick users into launching binaries (‘masquerading malicious ELF files as standard document files by appending extensions like “. pdf”, with a subtle space between the filename and the extension’)
- [T1547] Boot or Logon Autostart Execution – Persistence is achieved via a systemd user unit and an XDG autostart entry to ensure execution after reboot (‘writes its internal payload to ~/.config/systemd/user/userservice and ensures execution upon system reboot by setting up a systemd user unit and an XDG autostart entry.’)
- [T1059.004] Command and Scripting Interpreter: Unix Shell – The backdoor executes received commands using the system shell via /bin/bash -c (‘executes the payload on the host via /bin/bash -c.’)
- [T1102] Web Service – The implant abuses Microsoft Graph API and Outlook mailboxes as a covert C2 channel, polling a mailbox folder with OData queries (‘uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel’ / ‘It uses OData queries to poll a specific mailbox folder, named “Zomato Pizza”, at two-second intervals.’)
- [T1078] Valid Accounts – The malware includes hardcoded Azure AD application credentials (tenant ID, client ID, client secret) to obtain OAuth2 tokens for API access (‘inner i386 implant comes equipped with hardcoded, plaintext Azure AD application credentials, including a tenant ID, client ID, and client secret. These credentials allow the malware to request OAuth2 tokens from Microsoft.’)
- [T1041] Exfiltration Over C2 Channel – Execution results are AES-encrypted and sent back via email, and the implant issues HTTP DELETE to remove the original tasking message (‘Execution results are AES-encrypted and emailed back to the operator via a reply message using the subject line ‘Output’. Following exfiltration, the implant issues an HTTP DELETE command to wipe the original tasking message and remove evidence of its presence.’)
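Two of the host-side artifacts described in the Keypoints and the MITRE list above are cheap to hunt for: document-named files that are really ELF executables (the “. pdf” space trick), and XDG autostart entries or systemd user units whose Exec line launches the ~/.config/systemd/user/userservice path. The following hunt script is an added example, not code from Symantec or the write-up; the sample home directory it builds is constructed for illustration and the detection keys only on the path and extension pattern the write-up names.

```python
"""Hunt for the GoGra Linux persistence and masquerading artifacts named in the write-up."""
import re
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
# Document extension preceded by a space, e.g. "Details Format. pdf" (the masquerading trick)
MASQ_RE = re.compile(r"\. (pdf|docx?|xlsx?|pptx?)$", re.IGNORECASE)
# Persistence path from the write-up; any launcher pointing at it is suspicious
PERSIST_PATH = ".config/systemd/user/userservice"


def is_elf(path):
    """True if the file starts with the ELF magic bytes, regardless of its name."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False


def find_masqueraded_elfs(root):
    """Files named like 'report. pdf' whose content is actually an ELF executable."""
    return sorted(str(p) for p in Path(root).rglob("*")
                  if p.is_file() and MASQ_RE.search(p.name) and is_elf(p))


def find_suspicious_launchers(home):
    """XDG autostart entries and systemd user units whose Exec/ExecStart runs the persistence path."""
    home = Path(home)
    candidates = list((home / ".config/autostart").glob("*.desktop"))
    candidates += list((home / ".config/systemd/user").glob("*.service"))
    hits = []
    for p in candidates:
        for line in p.read_text(errors="replace").splitlines():
            key, _, value = line.partition("=")
            if key.strip() in ("Exec", "ExecStart") and PERSIST_PATH in value:
                hits.append(str(p))
                break
    return sorted(hits)


def build_sample_home():
    """Constructed sample: a masqueraded ELF lure, a Conky-named autostart entry, and benign files."""
    home = Path(tempfile.mkdtemp())
    (home / "Downloads").mkdir()
    (home / "Downloads" / "Details Format. pdf").write_bytes(ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 32)
    (home / "Downloads" / "umrah.pdf").write_bytes(b"%PDF-1.4\n")  # real PDF header, not ELF
    auto = home / ".config" / "autostart"
    auto.mkdir(parents=True)
    (auto / "conky.desktop").write_text(
        "[Desktop Entry]\nName=Conky\nExec=/home/user/.config/systemd/user/userservice\n")
    (auto / "nm-applet.desktop").write_text("[Desktop Entry]\nName=Network\nExec=nm-applet\n")
    return home


if __name__ == "__main__":
    sample = build_sample_home()
    print(find_masqueraded_elfs(sample / "Downloads"))
    print(find_suspicious_launchers(sample))
```

Point `find_masqueraded_elfs` at user download and mail attachment directories and `find_suspicious_launchers` at each home directory on the host; a Conky entry whose Exec runs the real conky binary produces no hit.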
Indicators of Compromise
- [File Hashes] GoGra Linux backdoor and delivery archives – 9c23c65a8a392a3fd885496a5ff2004252f1ad4388814b20e5459695280b0b82, 2d0177a00bed31f72b48965bee34cec04cb5be8eeea66ae0bb144f77e4d439b1, and 4 more hashes.
- [ZIP/File Names] Archives used to distribute the GoGra dropper – TheExternalAffairesMinister.zip (a ZIP file containing the GoGra Linux backdoor) and other malicious archives.
- [Decoy Filenames] Lure documents used to trick victims – umrah.pdf, TheExternalAffairesMinister. pdf (note the space before the extension), and other localized decoys such as “Details Format. pdf”.
- [Mailbox/Folders] C2 mailbox folders abused for tasking – “Zomato Pizza” (Linux campaign), “Dragan Dash” (Windows variant).
- [Persistence Paths] Local persistence and executable path on compromised hosts – ~/.config/systemd/user/userservice, plus an XDG autostart entry masquerading as Conky.
Read more: https://www.security.com/threat-intelligence/harvester-new-linux-backdoor-gogra